Security Research Center Policy

In today’s world we have become more and more connected to Internet services, software, and hardware devices.

We share our information with our banks, medical institutions, and employers. We share our information with smartphones, smart TVs, smart watches, and other “smart things” in our homes, which usually retain our information in remote databases outside our control.
These technologies are deeply integrated into our lives and, in many cases, we have become dependent on them, making us vulnerable when the technology fails or our information is not properly protected.

Our research

We conduct security research to locate any data exposures in the databases of various companies, organisations, and institutions.

Typically we use the Shodan search engine to locate unprotected Internet-connected devices. This search engine is publicly accessible, and allows researchers to identify devices and databases that are connected to the open Internet without any password protection or other technological barriers to safeguard the data stored in them. We do not crack passwords or authentication processes or use any other hacking tricks.

Once we discover a publicly exposed database, we report our findings according to the following guidelines:

When appropriate, we provide details of the data exposure to the company, organisation, or institution that failed to protect itself.

We do not modify the data we find.

We allow entities time to remedy the data exposure prior to making any details available publicly that would otherwise cause further risk.

We do not transfer any data to any third parties.

Why do we do this?

Here, in the Security Research Center, we do our best to:

Help businesses build better security by identifying data leaks, and

Raise public awareness of the dangers related to data breaches and security risks in the connected world.

Popular articles

Multi-State Voter Data Leak

If you are a voter in the United States, you would expect at least some kind of security for your personal voting data, right? Sadly, this election has shown us time and time again just how insecure and unprotected the entire process truly is. It seems to be getting worse, from hacked emails showing the DNC may have tilted the primary elections to multiple misconfigured databases containing millions of voters’ data and voting history. The flow of data this US election is almost overwhelming, and just when one news story breaks, another one appears before the first one runs the full news cycle.

This week the MacKeeper Security Research Center discovered a publicly available database of voter records totalling more than 350K. The records are from multiple states and split among MT / NJ / CA / VA.

California voter_file = 60,744 records

MT voter_file = 50,000 records

NJ voter_file = 72,114 records

VA voter_file = 62,574 records (with party ID, WardCode, VANID)

VA voter_file = 61,995 records

VA voter_file = 46,625 records

354,052 records in total!

The personal information includes names, home address, phone number, gender, date of birth, state voter ID, race, marital status, unique voter ID, date of voter registration, political affiliation, whether or not they voted in primary elections, and more.

Some states restrict how the data may be used and set restrictions on commercial or charitable use. Most states require that voter data be used only for political and election-related activities, but what if the records are leaked publicly and are available to anyone online?

The challenge going forward will be how to secure voter records that are likely already compromised or, in some cases, for sale by the state election commissions. In September 2015 MacKeeper discovered 2.9 million voter records from the state of Louisiana and the disturbing reality that the state was selling voter records. Louisiana’s system gives you the option of choosing past or present voters, separating them by various demographics (gender, race etc.), and specifying the party of your choice. The price for buying voter data comes out at $0.01 per name on the list. Will states and private groups protect voter data, and how, or will voter data just become public record similar to court records?

NOTE TO MEDIA: We were not able to identify the owner of this database and seek help from the media or security community to get the database closed. Please contact us at security@kromtech.com if you have any information or ideas of how to identify the ownership.